# TrueRecall v2 - Master Audit Checklist (GIT/PUBLIC)

**For:** `.git_projects/true-recall-v2/` (Sanitized Public Directory)
**Version:** 2.2
**Last Updated:** 2026-02-25 10:07 CST

---

## Overview

This checklist validates that the **git/public directory** is properly sanitized (placeholders instead of real addresses and paths, no credentials) and ready for public release. Use it before every git push.

Two conventions apply to every scan in Section 1:

- The greps scan the working tree and skip `.git/` (`--exclude-dir=.git`); `.git/config` gets its own checks in 1.3. Scanning `.git/` would only report pack files and reflogs that are not what is being pushed.
- "0 results" means no real values. The keyword scans in 1.2 also match the placeholder lines from Section 2.3 and any documentation that uses a word such as "token" in another sense. Review each hit; any real IP, path, password or token is a failure.

---

## Recent Fixes (2026-02-25)

| Issue | Status | Fix |
|-------|--------|-----|
| Embedding model mismatch | ✅ Fixed | Changed curator to `snowflake-arctic-embed2` |
| Gems had no vectors | ✅ Fixed | Updated `store_gem()` to use `text` field |
| JSON parsing errors | ✅ Fixed | Simplified extraction prompt |
| Watcher stuck on old session | ✅ Fixed | Restarted watcher service |
| Plugin capture 0 exchanges | ✅ Fixed | Added `extractMessageText()` for array content |
| Plugin exchanges working | ✅ Verified | 9 exchanges extracted per session |

---

## SECTION 1: Pre-Push Security Checks

### 1.1 Critical Security Scan

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.1.1 | No 10.x.x.x IPs | `grep -rnE --exclude-dir=.git "10\.[0-9]+\.[0-9]+\.[0-9]+" .` | 0 results | ☐ |
| 1.1.2 | No 192.168.x.x | `grep -rnE --exclude-dir=.git "192\.168\.[0-9]+\.[0-9]+" .` | 0 results | ☐ |
| 1.1.3 | No 172.16-31.x.x | `grep -rnE --exclude-dir=.git "172\.(1[6-9]\|2[0-9]\|3[01])\.[0-9]+\.[0-9]+" .` | 0 results | ☐ |
| 1.1.4 | No localhost IPs | `grep -rnE --exclude-dir=.git "127\.0\.0\.[0-9]+" .` | 0 results | ☐ |
| 1.1.5 | No IPv6 locals | `grep -rnE --exclude-dir=.git "\[?::1\]?" .` | 0 results (a Python slice such as `data[::1]` is a false positive) | ☐ |

### 1.2 Credentials Scan

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.2.1 | No passwords | `grep -rni --exclude-dir=.git --include="*.py" --include="*.md" --include="*.sh" "password" .` | 0 real values | ☐ |
| 1.2.2 | No tokens | `grep -rni --exclude-dir=.git --include="*.py" --include="*.md" --include="*.json" "token" .` | 0 real values | ☐ |
| 1.2.3 | No API keys | `grep -rniE --exclude-dir=.git "api[_-]?key" .` | 0 real values | ☐ |
| 1.2.4 | No secrets | `grep -rni --exclude-dir=.git --include="*.py" --include="*.md" "secret" .` | 0 real values | ☐ |
| 1.2.5 | No private keys | `grep -rniE --exclude-dir=.git "priv(ate.?)?key" .` | 0 real values | ☐ |
| 1.2.6 | No auth strings | `grep -rniE --exclude-dir=.git --include="*.py" --include="*.json" "auth[^o]" .` | 0 real values | ☐ |

### 1.3 .git/config Security - CRITICAL

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.3.1 | No tokens in URLs | `grep -nE "url = [a-z]+://[^/@]*:[^/@]*@" .git/config` | 0 results (no `user:token@`) | ☐ |
| 1.3.2 | No plaintext HTTP remotes | `grep -n "url = http://" .git/config` | 0 results | ☐ |
| 1.3.3 | HTTPS or SSH remotes | `grep -n "url = " .git/config` | Every URL is `https://`, `ssh://` or `git@host:` | ☐ |
| 1.3.4 | Remote sanity | `git remote -v` | 2-3 remotes, no tokens | ☐ |
| **1.3.5** | **⚠️ NO TOKENS IN .git/config** | `grep -ni -e password -e token -e ghp_ -e github_pat .git/config` | **MUST BE 0** | ☐ |
| **1.3.6** | **⚠️ NO CREDENTIAL HELPER WITH SECRETS** | `grep -n -A5 "\[credential\]" .git/config` | **No `helper = store`, no password or token lines** | ☐ |

**CRITICAL WARNING:** Kimi has accidentally pushed tokens TWICE before. **ALWAYS** verify 1.3.5 and 1.3.6 before pushing! `.git/config` is not itself pushed, but a remote URL that carries a token is one `git remote -v` paste away from `session.md` or `push-all.sh`, which are; `helper = store` keeps the same token in plaintext in `~/.git-credentials`.
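Sections 1.1 to 1.4 are run as separate greps. The script below is an added example, not the project's own tooling, that folds them into one pass which can double as a `.git/hooks/pre-push` hook (a non-zero exit there aborts the push). It tightens the raw patterns where they over-match: version strings such as `v2.10.0.0.1` no longer trip the 10.x rule, and the IPv6 loopback rule ignores Python slices such as `data[::1]` while still catching `http://[::1]:11434`. It assumes placeholders are written `<UPPER_SNAKE_CASE>` (this page's own placeholder names are not shown) and tolerates a credential keyword only on a line that also carries one; GitHub token formats (`ghp_`, `github_pat_`) are never tolerated. The file names, contents and `example/true-recall-v2.git` URL built in `demo()` are constructed for the example.

```python
#!/usr/bin/env python3
"""Pre-push sanitization gate: the Section 1 checks (1.1-1.4) in one pass.
Added example, not the project's own tooling. Placeholders are assumed to be
<UPPER_SNAKE_CASE>; a credential keyword is tolerated only on a line carrying one.
Run from the public tree (or as .git/hooks/pre-push); non-zero exit = findings."""
import os
import re
import sys
import tempfile

# 1.1  Lookarounds keep "v2.10.0.0.1" version strings from matching and stop the
# IPv6 rule firing on Python slices like data[::1] while still catching http://[::1]:port.
IP_PATTERNS = {
    "rfc1918-10": re.compile(r"(?<![\w.])10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?![\w.])"),
    "rfc1918-172": re.compile(r"(?<![\w.])172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}(?![\w.])"),
    "rfc1918-192": re.compile(r"(?<![\w.])192\.168\.\d{1,3}\.\d{1,3}(?![\w.])"),
    "loopback-v4": re.compile(r"(?<![\w.])127\.0\.0\.\d{1,3}(?![\w.])"),
    "loopback-v6": re.compile(r"(?<![\w\])])\[::1\]|(?<![\w:\[])::1(?![\w:\]])"),
}
# 1.2  Keywords go to human triage; GitHub token formats are hard failures.
CRED_KEYWORD_RE = re.compile(r"password|secret|api[_-]?key|priv(?:ate.?)?key|token|auth[^o]", re.I)
SECRET_FORMAT_RE = re.compile(r"ghp_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}")
PLACEHOLDER_RE = re.compile(r"<[A-Z][A-Z0-9_]*>")  # assumed placeholder convention
# 1.4  File names that must never be tracked.
SENSITIVE_NAME_RE = re.compile(r"^(?:\.env.*|.*\.(?:pem|key|p12|pfx)|id_rsa.*)$")
# 1.3  user:secret@ in a URL, plaintext http, secret words, and the "store" helper
# (which keeps credentials in plaintext in ~/.git-credentials).
CONFIG_RULES = (
    ("url-userinfo", re.compile(r"^\s*url\s*=\s*\w+://[^/\s@]+:[^/\s@]+@", re.I)),
    ("url-plain-http", re.compile(r"^\s*url\s*=\s*http://", re.I)),
    ("config-secret", re.compile(r"password|token|ghp_|github_pat", re.I)),
    ("credential-store", re.compile(r"^\s*helper\s*=\s*store\b", re.I)),
)


def redact(s):
    """Never echo a live secret into a terminal or CI log."""
    return s if len(s) <= 8 else s[:6] + "..."


def scan_line(rel, lineno, line):
    """1.1/1.2 rules on one line -> list of (file, line, rule, match)."""
    hits = []
    for rule, pat in IP_PATTERNS.items():
        hits += [(rel, lineno, rule, m.group(0)) for m in pat.finditer(line)]
    hits += [(rel, lineno, "secret-format", redact(m.group(0))) for m in SECRET_FORMAT_RE.finditer(line)]
    kw = CRED_KEYWORD_RE.search(line)
    if kw and not PLACEHOLDER_RE.search(line):
        hits.append((rel, lineno, "credential-keyword", kw.group(0).strip()))
    return hits


def scan_git_config_text(text, rel=".git/config"):
    """1.3 rules on the config text; reports the key name, never the value."""
    return [(rel, lineno, rule, line.split("=", 1)[0].strip())
            for lineno, line in enumerate(text.splitlines(), 1)
            for rule, pat in CONFIG_RULES if pat.search(line)]


def scan_tree(root):
    """Walk the tree with .git pruned, then inspect .git/config on its own."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if SENSITIVE_NAME_RE.match(name):
                findings.append((rel, 0, "sensitive-file", name))
            try:
                with open(path, encoding="utf-8") as fh:
                    for lineno, line in enumerate(fh, 1):
                        findings += scan_line(rel, lineno, line.rstrip("\n"))
            except UnicodeDecodeError:
                continue  # binary file: only the file-name rule applies
    cfg = os.path.join(root, ".git", "config")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8") as fh:
            findings += scan_git_config_text(fh.read())
    return findings


def demo():
    """Constructed sample tree (not real project files); returns its findings."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    sample = {
        "README.md": "Qdrant: http://<QDRANT_IP>:6333\napi_key: <API_KEY>\n",  # clean
        "session.md": "Ollama at http://10.0.0.10:11434, dev box [::1]\n",  # 1.1 hits
        "util.py": "rev = data[::1]  # slice, not an address\n",  # must stay clean
        ".env": "OLLAMA_TOKEN=ghp_" + "x" * 36 + "\n",  # 1.2 and 1.4 hits
        ".git/config": '[remote "origin"]\n\turl = https://user:ghp_' + "y" * 36
        + "@github.com/example/true-recall-v2.git\n[credential]\n\thelper = store\n",
    }
    for rel, body in sample.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    found = scan_tree(".")  # git runs pre-push hooks from the repo root
    for rel, lineno, rule, what in found:
        print(f"{rel}:{lineno}: {rule}: {what}")
    sys.exit(1 if found else 0)
```

Run it from the public tree before `push-all.sh`, or copy it to `.git/hooks/pre-push` and `chmod +x` it. Findings print the rule and a redacted match, so a real token is not echoed into a terminal or CI log that may itself be captured into `session.md`.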
### 1.4 File Scan

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.4.1 | No .env files | `find . -path ./.git -prune -o -name ".env*" -print` | 0 files | ☐ |
| 1.4.2 | No .pem files | `find . -path ./.git -prune -o -name "*.pem" -print` | 0 files | ☐ |
| 1.4.3 | No .key files | `find . -path ./.git -prune -o -name "*.key" -print` | 0 files | ☐ |
| 1.4.4 | No id_rsa files | `find . -path ./.git -prune -o -name "id_rsa*" -print` | 0 files | ☐ |
| 1.4.5 | No .p12 files | `find . -path ./.git -prune -o -name "*.p12" -print` | 0 files | ☐ |
| 1.4.6 | No .pfx files | `find . -path ./.git -prune -o -name "*.pfx" -print` | 0 files | ☐ |

These patterns also belong in `.gitignore` (6.1.3), so a stray copy cannot be picked up by `git add .`.

---

## SECTION 2: Placeholder Verification

### 2.1 IP Placeholders

| # | Placeholder | Used For | Found? | Status |
|---|-------------|----------|--------|--------|
| 2.1.1 | `` | Qdrant endpoint | ☐ | ☐ |
| 2.1.2 | `` | Ollama endpoint | ☐ | ☐ |
| 2.1.3 | `` | Redis endpoint | ☐ | ☐ |
| 2.1.4 | `` | Gitea server | ☐ | ☐ |
| 2.1.5 | `` | OpenClaw gateway | ☐ | ☐ |

### 2.2 Path Placeholders

| # | Placeholder | Used For | Found? | Status |
|---|-------------|----------|--------|--------|
| 2.2.1 | `~/` | Home directory | ☐ | ☐ |
| 2.2.2 | `` | OpenClaw install | ☐ | ☐ |
| 2.2.3 | `` | User home | ☐ | ☐ |
| 2.2.4 | `` | systemd location | ☐ | ☐ |

### 2.3 Config Placeholders

| # | Placeholder | Used For | Found? | Status |
|---|-------------|----------|--------|--------|
| 2.3.1 | `` | API key example | ☐ | ☐ |
| 2.3.2 | `` | Token example | ☐ | ☐ |
| 2.3.3 | `` | Password example | ☐ | ☐ |
| 2.3.4 | `` | Date example | ☐ | ☐ |
| 2.3.5 | `` | Timestamp example | ☐ | ☐ |

---

## SECTION 3: File Completeness

### 3.1 Required Files Present

| # | File | Purpose | Status |
|---|------|---------|--------|
| 3.1.1 | `README.md` | Main documentation | ☐ |
| 3.1.2 | `session.md` | Session notes | ☐ |
| 3.1.3 | `checklist.md` | Installation checklist | ☐ |
| 3.1.4 | `curator-prompt.md` | Curation prompt | ☐ |
| 3.1.5 | `install.py` | Installation script | ☐ |
| 3.1.6 | `push-all.sh` | Push script | ☐ |

### 3.2 Scripts Directory

| # | File | Purpose | Status |
|---|------|---------|--------|
| 3.2.1 | `tr-continuous/curator_timer.py` | Timer curator | ☐ |
| 3.2.2 | `tr-continuous/curator_config.json` | Curator config | ☐ |

### 3.3 No Local-Only Files

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 3.3.1 | No debug_curator.py | Not in git | ☐ |
| 3.3.2 | No test_curator.py | Not in git | ☐ |
| 3.3.3 | No migrate_*.py | Not in git | ☐ |
| 3.3.4 | No tr-daily/ | Not in git (archived) | ☐ |
| 3.3.5 | No tr-compact/ | Not in git (concept) | ☐ |

---

## SECTION 4: Script Validation

### 4.1 curator_timer.py

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 4.1.1 | No hardcoded IPs | Uses env vars | ☐ |
| 4.1.2 | No absolute paths | Uses `~/` | ☐ |
| 4.1.3 | Syntax valid | `python3 -m py_compile tr-continuous/curator_timer.py` passes | ☐ |
| 4.1.4 | Executable bit | `chmod +x` set | ☐ |
| 4.1.5 | Uses placeholders | ``, `` | ☐ |

### 4.2 install.py

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 4.2.1 | No hardcoded IPs | Uses prompts | ☐ |
| 4.2.2 | No absolute paths | Uses defaults | ☐ |
| 4.2.3 | Syntax valid | `python3 -m py_compile install.py` passes | ☐ |
| 4.2.4 | Interactive prompts | Asks for URLs | ☐ |

### 4.3 push-all.sh

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 4.3.1 | No hardcoded paths | Uses `$PWD` | ☐ |
| 4.3.2 | No tokens | Clean script; no `user:token@` in any remote URL (see 1.3.1) | ☐ |
| 4.3.3 | Syntax valid | `bash -n push-all.sh` passes | ☐ |
| 4.3.4 | Executable bit | `chmod +x` set | ☐ |

---

## SECTION 5: Documentation Quality

### 5.1 README.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.1.1 | Uses placeholders | ``, `` | ☐ |
| 5.1.2 | No hardcoded paths | `~/` not `/root/` | ☐ |
| 5.1.3 | Clear instructions | Step-by-step | ☐ |
| 5.1.4 | Config examples | Generic examples | ☐ |
| 5.1.5 | Troubleshooting | Common issues listed | ☐ |

### 5.2 session.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.2.1 | Uses placeholders | ``, `` | ☐ |
| 5.2.2 | No hardcoded paths | `~/` not `/root/` | ☐ |
| 5.2.3 | Current state | Up to date | ☐ |
| 5.2.4 | Validation commands | Generic commands | ☐ |

### 5.3 checklist.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.3.1 | Uses placeholders | ``, etc. | ☐ |
| 5.3.2 | Pre-install checks | Generic commands | ☐ |
| 5.3.3 | Post-install validation | Generic commands | ☐ |
| 5.3.4 | Troubleshooting | Common issues | ☐ |

### 5.4 curator-prompt.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.4.1 | Uses placeholders | `` | ☐ |
| 5.4.2 | No hardcoded IPs | Placeholders only | ☐ |
| 5.4.3 | Updated architecture | No Redis refs | ☐ |
| 5.4.4 | Correct collection | `memories_tr` not `kimi_memories` | ☐ |

---

## SECTION 6: Git Hygiene

### 6.1 Git Status

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 6.1.1 | Clean working tree | `git status` | No uncommitted changes | ☐ |
| 6.1.2 | No untracked files | `git status` | 0 untracked files | ☐ |
| 6.1.3 | Proper .gitignore | `cat .gitignore` | Blocks the file types listed in 1.4 | ☐ |
| 6.1.4 | No large files | `find . -path ./.git -prune -o -type f -size +10M -print` | 0 large files | ☐ |

### 6.2 Commit Quality

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 6.2.1 | Descriptive message | Clear summary | ☐ |
| 6.2.2 | Atomic changes | One feature per commit | ☐ |
| 6.2.3 | Signed (optional) | GPG signed | ☐ |

### 6.3 Remote Configuration

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 6.3.1 | GitHub remote | Configured | ☐ |
| 6.3.2 | Gitea remote | Configured | ☐ |
| 6.3.3 | GitLab remote | Configured | ☐ |
| 6.3.4 | All clean | No tokens in URLs | ☐ |

---

## SECTION 7: Error Prevention

### 7.1 Common Mistakes

| # | Mistake | Prevention | Check | Status |
|---|---------|------------|-------|--------|
| 7.1.1 | Forgetting to sanitize | Run this checklist | ☐ | ☐ |
| 7.1.2 | Leaving tokens | Scan with grep | ☐ | ☐ |
| 7.1.3 | Hardcoding IPs | Use placeholders | ☐ | ☐ |
| 7.1.4 | Absolute paths | Use `~/` | ☐ | ☐ |
| 7.1.5 | Local-only files | Check 3.3.1-3.3.5 | ☐ | ☐ |

### 7.2 Pre-Push Checklist - MANDATORY

| # | Step | Command | Status |
|---|------|---------|--------|
| **7.2.1** | **🔴 CHECK .git/config FOR TOKENS** | `grep -ni -e password -e token -e ghp_ -e github_pat .git/config` | ☐ **MUST PASS** |
| **7.2.2** | **🔴 VERIFY NO CREDENTIAL HELPER SECRETS** | `grep -n -A5 "\[credential\]" .git/config` | ☐ **MUST PASS** |
| 7.2.3 | Run security scan | Section 1.1-1.2 | ☐ |
| 7.2.4 | Verify placeholders | Section 2.1-2.3 | ☐ |
| 7.2.5 | Check file completeness | Section 3.1-3.3 | ☐ |
| 7.2.6 | Validate scripts | Section 4.1-4.3 | ☐ |
| 7.2.7 | Review docs | Section 5.1-5.4 | ☐ |
| 7.2.8 | Check git hygiene | Section 6.1-6.3 | ☐ |

---

## SECTION 8: Function Verification (Generic)

### 8.1 Config Validity

| # | File | Check | Expected | Status |
|---|------|-------|----------|--------|
| 8.1.1 | `curator_config.json` | JSON syntax (`python3 -m json.tool tr-continuous/curator_config.json`) | Valid JSON | ☐ |
| 8.1.2 | `curator_config.json` | Required keys | All present | ☐ |
| 8.1.3 | `curator_config.json` | Value types | Correct types | ☐ |
### 8.2 Script Syntax

| # | File | Check | Command | Status |
|---|------|-------|---------|--------|
| 8.2.1 | `curator_timer.py` | Python syntax | `python3 -m py_compile tr-continuous/curator_timer.py` | ☐ |
| 8.2.2 | `install.py` | Python syntax | `python3 -m py_compile install.py` | ☐ |
| 8.2.3 | `push-all.sh` | Bash syntax | `bash -n push-all.sh` | ☐ |

### 8.3 Documentation Links

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 8.3.1 | Internal links valid | All `#section` anchors resolve | ☐ |
| 8.3.2 | No broken references | No `TODO` or `FIXME` | ☐ |
| 8.3.3 | Consistent formatting | Same style throughout | ☐ |

---

## SECTION 9: Comparison with Local

### 9.1 Sync Status

| # | Check | Local | Git | Match? |
|---|-------|-------|-----|--------|
| 9.1.1 | README structure | Same | Same | ☐ |
| 9.1.2 | session structure | Same | Same | ☐ |
| 9.1.3 | checklist structure | Same | Same | ☐ |
| 9.1.4 | Config structure | Same | Same | ☐ |

### 9.2 Content Differences

The public copy should be the local copy with exactly these substitutions applied and nothing else; any other difference is drift between the two trees.

| # | Check | Local (Real) | Git (Placeholder) | Expected |
|---|-------|--------------|-------------------|----------|
| 9.2.1 | Qdrant IP | 10.0.0.40 | `` | ✅ |
| 9.2.2 | Ollama IP | 10.0.0.10 | `` | ✅ |
| 9.2.3 | Paths | /root/... | ~/... | ✅ |
| 9.2.4 | Usernames | rob | rob or generic | ✅ |

Keep this checklist outside the public tree (or list it in `.gitignore`): 9.2 records the real addresses, and Sections 1 and 7 contain every keyword the scans flag, so the file would fail its own Section 1.

---

## SECTION 10: Final Review

### 10.1 Sign-Off

| # | Reviewer | Date | Notes | Signature |
|---|----------|------|-------|-----------|
| 10.1.1 | Security scan | | | |
| 10.1.2 | Sanitization | | | |
| 10.1.3 | Functionality | | | |
| 10.1.4 | Documentation | | | |

### 10.2 Ready to Push - MANDATORY CHECKS

| # | Check | Status |
|---|-------|--------|
| **10.2.1** | **🔴 .git/config contains NO tokens** (Section 1.3.5-1.3.6) | ☐ **MUST PASS** |
| **10.2.2** | **🔴 No credential helper with secrets** (Section 7.2.1-7.2.2) | ☐ **MUST PASS** |
| 10.2.3 | All Section 1 checks passed | ☐ |
| 10.2.4 | All Section 2 checks passed | ☐ |
| 10.2.5 | All Section 3 checks passed | ☐ |
| 10.2.6 | All Section 4 checks passed | ☐ |
| 10.2.7 | All Section 5 checks passed | ☐ |
| 10.2.8 | All Section 6 checks passed | ☐ |
| 10.2.9 | All Section 7 checks passed | ☐ |

### 10.3 Push Command

```bash
# After all checks pass:
cd ~/.openclaw/workspace/.git_projects/true-recall-v2
./push-all.sh "Your descriptive commit message"
```

---

## Quick Reference: Security Scan Commands

```bash
# Scan for private and loopback IPs (working tree only; .git/config is checked separately)
grep -rnE --exclude-dir=.git "10\.[0-9]+\.[0-9]+\.[0-9]+" .
grep -rnE --exclude-dir=.git "192\.168\.[0-9]+\.[0-9]+" .
grep -rnE --exclude-dir=.git "172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+" .
grep -rnE --exclude-dir=.git "127\.0\.0\.[0-9]+" .
grep -rnE --exclude-dir=.git "\[?::1\]?" .   # also matches Python slices like data[::1]; review hits

# Scan for credentials (placeholder lines will show up; real values must not)
grep -rniE --exclude-dir=.git "password|token|secret|api[_-]?key|priv(ate.?)?key" .

# Scan for absolute paths
grep -rnE --exclude-dir=.git "/(root|home)/[a-z]+" .

# Check .git/config
grep -n "url = " .git/config
grep -ni -e password -e token -e ghp_ -e github_pat .git/config
grep -n -A5 "\[credential\]" .git/config

# Find sensitive files
find . -path ./.git -prune -o \( -name "*.pem" -o -name "*.key" -o -name "*.p12" -o -name "*.pfx" -o -name ".env*" -o -name "id_rsa*" \) -print

# Find large files
find . -path ./.git -prune -o -type f -size +10M -print
```

---

## Emergency: Found Sensitive Data

If you find sensitive data after pushing, assume it is already compromised: forks, clones and caches keep history that a force push cannot reach.

1. **Immediately** revoke the exposed credential and rotate anything it could reach. This is the fix; the steps below are cleanup.
2. Confirm which commits contain it: `git log --all --oneline -S"<the secret>"`.
3. Remove it from git history with `git filter-repo` (the tool the Git project recommends over `git filter-branch`); BFG Repo-Cleaner also works.
4. Force-push the rewritten history, including tags, to every remote (GitHub, Gitea, GitLab per 6.3). Rewritten commits have new hashes, so existing clones must be re-cloned rather than pulled.
5. Notify affected parties.

---

*This checklist is for GIT/PUBLIC directory validation only.*
*For local development checks, see `audit_checklist.md` in `.local_projects/true-recall-v2/`*
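Section 9 compares the local (real) tree with the public (placeholder) tree by hand. The script below is an added example, not the project's own code, that makes the comparison mechanical: sanitization is treated as a pure substitution from the 9.2 values to placeholders, so a public file must equal `sanitize(local)` exactly. Any other difference is drift (content edited in one tree and never carried to the other), and any 9.2 value still present in the public copy is residue. The placeholder names `<QDRANT_IP>` and `<OLLAMA_IP>`, the `SUBSTITUTIONS` map and the script name are assumptions; the sample texts in the test are constructed.

```python
#!/usr/bin/env python3
"""Section 9 sync check: public == sanitize(local), and nothing else differs.
Added example, not the project's own tooling; the substitution map and the
placeholder names are assumptions (left-hand values from 9.2).
Usage: python3 sync_check.py <local-dir> <public-dir> README.md session.md ..."""
import difflib
import os
import sys

# Real value (local tree) -> placeholder (public tree). Applied longest value
# first so a value that is a prefix of another cannot clobber it.
SUBSTITUTIONS = sorted([
    ("10.0.0.40", "<QDRANT_IP>"),   # assumed placeholder name
    ("10.0.0.10", "<OLLAMA_IP>"),   # assumed placeholder name
    ("/root/", "~/"),
], key=lambda kv: -len(kv[0]))


def sanitize(text, subs=SUBSTITUTIONS):
    """The transform the public tree is supposed to be: pure substitution."""
    for real, placeholder in subs:
        text = text.replace(real, placeholder)
    return text


def residue(public_text, subs=SUBSTITUTIONS):
    """Real values still present in a public file; any result is a failure."""
    return [real for real, _ in subs if real in public_text]


def drift(local_text, public_text, subs=SUBSTITUTIONS):
    """Unified diff of sanitize(local) against public; empty means in sync.
    '+' lines exist only in the public copy, '-' lines only in the local one."""
    expected = sanitize(local_text, subs).splitlines(keepends=True)
    actual = public_text.splitlines(keepends=True)
    return list(difflib.unified_diff(expected, actual, "sanitized(local)", "public", n=0))


def compare_trees(local_root, public_root, names, subs=SUBSTITUTIONS):
    """Per file name: {'missing': bool, 'residue': [...], 'drift': [...]}."""
    report = {}
    for name in names:
        public_path = os.path.join(public_root, name)
        if not os.path.isfile(public_path):
            report[name] = {"missing": True, "residue": [], "drift": []}
            continue
        with open(os.path.join(local_root, name), encoding="utf-8") as fh:
            local_text = fh.read()
        with open(public_path, encoding="utf-8") as fh:
            public_text = fh.read()
        report[name] = {"missing": False, "residue": residue(public_text, subs),
                        "drift": drift(local_text, public_text, subs)}
    return report


if __name__ == "__main__":
    local_root, public_root, *names = sys.argv[1:]
    bad = False
    for name, r in compare_trees(local_root, public_root, names).items():
        if r["missing"] or r["residue"] or r["drift"]:
            bad = True
            print(f"== {name}: missing={r['missing']} residue={r['residue']}")
            sys.stdout.writelines(r["drift"])
    sys.exit(1 if bad else 0)
```

Residue is reported separately from drift on purpose: a leaked address is a Section 1 failure that must block the push, whereas drift is a bookkeeping problem (9.1) that the author may resolve in either direction.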